Category: Protocol Analysis

Wireshark is a wonderful tool, no doubt about it. But, on Microsoft Windows, there is one thing it isn’t so good at.

Microsoft decided to remove the local loopback interface in Windows 7, so capturing loopback traffic is rather difficult without modifying your system, which is something I try to avoid if at all possible.

There are ways to install the loopback interface if you want, as documented here. There are also other means to achieve the same effect, also documented in the previous link.

Unless you need to do a lot of capturing, the chances are you’re going to want an easier, quicker way.

Happily, somebody has thought of that. Just download the RawCap utility kindly provided for free by NETRESEC and you don’t need to configure anything. You don’t even need to install any software, or even unzip. Just download and copy into your utils folder.

Here’s how to run RawCap:

RawCap.exe 1 dumpfile.pcap

The 1 is the identifier for the loopback interface and dumpfile.pcap is the output file. If you’re not sure, just run RawCap.exe and you’ll be prompted.

The output file is in PCAP format, so it’s a snap to load into Wireshark for later analysis.
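Before loading a capture into Wireshark it is worth checking that the file is well-formed. The following Python parser for the classic PCAP format is an added example, not code from the original post or from RawCap; the sample capture it reads is constructed inline, and the link type 1 in that sample is an assumption for the sample, not a statement about what RawCap writes.

```python
import struct
from typing import List, NamedTuple, Tuple

class PcapRecord(NamedTuple):
    ts_sec: int
    ts_usec: int
    caplen: int    # bytes actually captured
    origlen: int   # bytes on the wire
    data: bytes

def parse_pcap(buf: bytes) -> Tuple[int, List[PcapRecord]]:
    """Parse a classic PCAP buffer into (linktype, records); raises ValueError on bad or truncated input."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    magic = buf[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"  # little-endian writer (usual on Windows)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    records: List[PcapRecord] = []
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", buf[off:off + 16])
        if caplen > snaplen or off + 16 + caplen > len(buf):
            raise ValueError("record length exceeds snaplen or end of file")
        records.append(PcapRecord(ts_sec, ts_usec, caplen, origlen, buf[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return linktype, records

def is_valid_pcap(buf: bytes) -> bool:
    """True when the whole buffer parses cleanly, so a capture can be checked before loading it."""
    try:
        parse_pcap(buf)
        return True
    except ValueError:
        return False

def build_sample(byteorder: str = "<") -> bytes:
    """Constructed sample file: version 2.4, snaplen 65535, link type 1 (assumed), two dummy frames."""
    hdr = struct.pack(byteorder + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(1700000000, 1000, b"\xaa" * 60), (1700000000, 2500, b"\xbb" * 42)]
    body = b"".join(struct.pack(byteorder + "IIII", s, us, len(f), len(f)) + f for s, us, f in frames)
    return hdr + body
```

To check a real file, read it with `open("dumpfile.pcap", "rb").read()` and pass the bytes to `is_valid_pcap` or `parse_pcap`.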

NetFlow is a standard from Cisco for transferring network analysis data across a network. The last thing you want is to burden your routers and switches with analysing network traffic, so Cisco came up with NetFlow so that the analysis can be offloaded to devices that are less CPU-bound.

NTop – a traffic analyser that runs on most UNIX variants and Microsoft Windows. In addition, ntop includes Cisco NetFlow and sFlow support. For an introduction to NTop, please see this introduction to NTop video.

Flow-tools – a library and a collection of programs used to collect, send, process, and generate reports from NetFlow data.

I’ve noticed that the old Ethereal website is back up again after being offline for well over a year. The original Ethereal crew, including Gerald Combs the founder, disappeared over to Wireshark, where they created a fork due to problems with trademarks.

Not sure what’s going on. The website hasn’t been updated since 2007. The last version of Ethereal advertised on the site was 0.99.0 from 24th April 2006.

Chris Sanders is offering an online Wireshark training opportunity for the rather modest cost of $100. The course will cover analyzer placement on your cabling system, performing a network baseline and troubleshooting network latency.

Why should you be interested? They're just enterprise doodads, aren't they?

Traditionally they have been enterprise tools, but that's mainly because of price, not because large enterprises are the only ones with a requirement for them.

Even small networks use switches. The only way you can gain visibility on a switch, without affecting the system as a whole, is via network taps. Network taps provide a great way to troubleshoot your network without affecting the network itself in any way.

But, the biggest use for network taps is for running intrusion detection systems. Network taps afford a way for the intrusion detection system itself to be completely invisible to anything running on the network.

Hopefully, enterprise grade security tools will start to trickle down to smaller and smaller networks. There are a number of open source tools eminently suited to the task.

One of the big problems in a switched network is reliably accessing network traffic for analysis or monitoring purposes. Many solutions require changes either to the hosts being monitored or to your network infrastructure.

Many managed switches have the ability to mirror the traffic on one or more ports. Mirroring simply involves the switch copying network traffic from one or more ports to another designated port. The switch still sends the network traffic to its original destination.

With a simple command you can start analysing the traffic on another switch port without having to touch any of the devices being analysed.

For instance, on a Cisco switch, the following command will mirror the source port to the destination port:

set span <source port> <destination port>

Port mirroring can be an ideal solution in some circumstances, but it does have some problems:

Port mirroring can indirectly affect the system being analysed. Mirroring, especially under high load, can cause the switch to drop packets and even to pause operation altogether;

Port mirroring can potentially pose a security risk. You can start mirroring a port via the switch's command line interface, and something or someone can stop mirroring it too;

Things become tricky on full duplex ports — in other words, where devices can send and receive at the same time, turning a 100 Mbps link into an effective 200 Mbps link — you may lose traffic if the port is running close to capacity, because the single mirror port cannot carry both directions at full rate.

The solution to the above problems comes in the shape of a network tap. Network taps remove the need to perform port mirroring on the switch, avoiding the chance that the switch's performance will be affected.

Network taps are also completely out of band: nothing on the network can switch them off. If you wish to perform intrusion detection, you can be sure that your monitoring efforts are completely invisible to potential intruders.

In the unlikely event of the network tap failing, the monitored system is completely unaffected.

Protocol analysers are difficult tools to master. Once mastered, though, you'll see the pay-off in increased productivity for the rest of your career. Many technologies come and go, but the fundamentals of how networks work change slowly.

If self-paced learning suits you best, a series of four self-study courses is available:

Wireshark Functionality and Fundamentals

TCP/IP Network Analysis

Troubleshooting Network Performance

Wireshark Network Forensics and Security

If you prefer face-to-face, instructor-led learning, that's available too from the Wireshark Bootcamp. Courses are scheduled worldwide, including London, Munich, the Netherlands and Sweden. Courses are scheduled for October, so get your skates on! 🙂

WinPcap is a great Windows-based, open source driver for packet sniffing on wired networks using a bog-standard network interface card. WinPcap is licensed under the General Public License (GPL).

From a commercial software developer's perspective, the GPL can be quite intimidating. Consequently, a lot of commercial developers won't touch GPL'ed code with a very long barge pole.

Fortunately, the developers of WinPcap have come up with a commercial-developer-friendly version of WinPcap, WinPcap Professional. Of course, you've got to pay, but as a commercial developer, you're used to that! 😉

With WinPcap Professional you get an excellent packet sniffing library without the scary license, and you get to support WinPcap open source development too. Everybody's a winner!